Prastudy Fauzi,Helger Lipmaa,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-319-02937-5_6

2013-01-01

Abstract:We propose a non-interactive product argument, that is more efficient than the one by Groth and Lipmaa, and a novel shift argument. We then use them to design several novel non-interactive zero-knowledge (NIZK) arguments. We obtain the first range proof with constant communication and subquadratic prover's computation. We construct NIZK arguments for NP-complete languages, Set-Partition, Subset-Sum and Decision-Knapsack, with constant communication, subquadratic prover's computation and linear verifier's computation.

Prastudy Fauzi,Helger Lipmaa,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-662-45472-5_14

2014-01-01

Abstract:We propose a non-interactive zero knowledge pairwise multiset sum equality test (PMSET) argument of knowledge in the common reference string (CRS) model that allows a prover to show that the given committed multisets A(j) for j is an element of {1, 2, 3, 4} satisfy A(1) (sic) A(2) = A(3) (sic) A(4), i. e., every element is contained in A(1) and A(2) exactly as many times as in A3 and A(4). As a corollary to the PMSET argument, we present arguments that enable to efficiently verify the correctness of various (multi) set operations, for example, that one committed set is the intersection or union of two other committed sets. The new arguments have constant communication and verification complexity (in group elements and group operations, respectively), whereas the CRS length and the prover's computational complexity are both proportional to the cardinality of the (multi) sets. We show that one can shorten the CRS length at the cost of a small increase of the communication and the verifier's computation.

Wei Liu,Jian Weng,Bingsheng Zhang,Kai He,Junjie Huang

DOI: https://doi.org/10.1016/j.ins.2022.09.026

IF: 8.1

2022-01-01

Information Sciences

Abstract:Non-interactive zero-knowledge (NIZK) proof systems are very useful for statement verification without interaction in cryptography; they entail just one message, called the proof, that convinces the verifier of the truth of the statement without leaking any extra information. Many NIZK proof systems are related to quadratic residuosity languages and follow three main steps. First, the prover and the verifier sample a common reference string (CRS) in some particular form. Second, the prover proves that n is a Blum integer (BL , n = p 1 t 1 · p 2 t 2, where p 1 and p 2 are different primes both congruent to 3 modulo 4, and t 1 and t 2 are odd). Third, various statements (e.g., NQR n , OR n , AND n , T ( k , t ), and 3 SAT) can be proven by the prover based on the properties of BL . In this study, we improve the NIZK proof system for n ∈ BL based on the special distribution of the square roots modulo n and embed this proof in the third step. Moreover, we show that the CRS can be sampled more efficiently using the improved process.

Shuichi Katsumata,Ryo Nishimaki,Shota Yamada,Takashi Yamakawa

DOI: https://doi.org/10.1007/s00145-024-09503-8

2024-05-15

Journal of Cryptology

Abstract:A non-interactive zero-knowledge (NIZK) protocol enables a prover to convince a verifier of the truth of a statement without leaking any other information by sending a single message. The main focus of this work is on exploring short pairing-based NIZKs for all languages based on standard assumptions. In this regime, the seminal work of Groth, Ostrovsky, and Sahai (J.ACM'12) (GOS-NIZK) is still considered to be the state-of-the-art. Although fairly efficient, one drawback of GOS-NIZK is that the proof size is multiplicative in the circuit size computing the relation. That is, the proof size grows by , where C is the circuit for the relation and is the security parameter. By now, there have been numerous follow-up works focusing on shortening the proof size of pairing-based NIZKs, however, thus far, all works come at the cost of relying either on a non-standard knowledge-type assumption or a non-static q -type assumption. Specifically, improving the proof size of the original GOS-NIZK under the same standard assumption has remained as an open problem. Our main result is a construction of a pairing-based NIZK for all of whose proof size is additive in | C |, that is, the proof size only grows by , based on the computational Diffie-Hellman assumption over specific pairing-free groups and decisional linear (DLIN) assumption. As by-products of our main result, we also obtain the following two results: (1) We construct a perfectly zero-knowledge NIZK (NIPZK) for relations computable in with proof size where | w | is the witness length based on the DLIN assumption. This is the first pairing-based NIPZK for a non-trivial class of languages whose proof size is independent of | C | based on a standard assumption. (2) We construct a universally composable (UC) NIZK for relations computable in in the erasure-free adaptive setting whose proof size is from the DLIN assumption. This is an improvement over the recent result of Katsumata, Nishimaki, Yamada, and Yamakawa (CRYPTO'19), which gave a similar result based on a non-static q -type assumption. The main building block for all of our NIZKs is a constrained signature scheme with decomposable online-offline efficiency . This is a property which we newly introduce in this paper and construct from the DLIN assumption. We believe this construction is of an independent interest.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Nai-Hui Chia,Kai-Min Chung,Takashi Yamakawa

2023-10-30

Abstract:In a recent seminal work, Bitansky and Shmueli (STOC '20) gave the first construction of a constant round zero-knowledge argument for NP secure against quantum attacks. However, their construction has several drawbacks compared to the classical counterparts. Specifically, their construction only achieves computational soundness, requires strong assumptions of quantum hardness of learning with errors (QLWE assumption) and the existence of quantum fully homomorphic encryption (QFHE), and relies on non-black-box simulation. In this paper, we resolve these issues at the cost of weakening the notion of zero-knowledge to what is called $\epsilon$-zero-knowledge. Concretely, we construct the following protocols: - We construct a constant round interactive proof for NP that satisfies statistical soundness and black-box $\epsilon$-zero-knowledge against quantum attacks assuming the existence of collapsing hash functions, which is a quantum counterpart of collision-resistant hash functions. Interestingly, this construction is just an adapted version of the classical protocol by Goldreich and Kahan (JoC '96) though the proof of $\epsilon$-zero-knowledge property against quantum adversaries requires novel ideas. - We construct a constant round interactive argument for NP that satisfies computational soundness and black-box $\epsilon$-zero-knowledge against quantum attacks only assuming the existence of post-quantum one-way functions. At the heart of our results is a new quantum rewinding technique that enables a simulator to extract a committed message of a malicious verifier while simulating verifier's internal state in an appropriate sense.

Quantum Physics,Cryptography and Security

Tao Lu,Chengkun Wei,Ruijing Yu,Chaochao Chen,Wenjing Fang,Lei Wang,Zeke Wang,Wenzhi Chen

DOI: https://doi.org/10.46586/tches.v2023.i3.194-220

2023-01-01

IACR Transactions on Cryptographic Hardware and Embedded Systems

Abstract:Zero-knowledge proof is a critical cryptographic primitive. Its most practical type, called zero-knowledge Succinct Non-interactive ARgument of Knowledge (zkSNARK), has been deployed in various privacy-preserving applications such as cryptocurrencies and verifiable machine learning. Unfortunately, zkSNARK like Groth16 has a high overhead on its proof generation step, which consists of several time-consuming operations, including large-scale matrix-vector multiplication (MUL), number-theoretic transform (NTT), and multi-scalar multiplication (MSM). Therefore, this paper presents cuZK, an efficient GPU implementation of zkSNARK with the following three techniques to achieve high performance. First, we propose a new parallel MSM algorithm. This MSM algorithm achieves nearly perfect linear speedup over the Pippenger algorithm, a well-known serial MSM algorithm. Second, we parallelize the MUL operation. Along with our self-designed MSM scheme and well-studied NTT scheme, cuZK achieves the parallelization of all operations in the proof generation step. Third, cuZK reduces the latency overhead caused by CPU-GPU data transfer by 1) reducing redundant data transfer and 2) overlapping data transfer and device computation. The evaluation results show that our MSM module provides over 2.08x (up to 2.94x) speedup versus the state-of-the-art GPU implementation. cuZK achieves over 2.65x (up to 4.86x) speedup on standard benchmarks and 2.18× speedup on a GPU-accelerated cryptocurrency application, Filecoin.

Jiaheng Zhang,Tiancheng Xie,Yupeng Zhang,Dawn Song

DOI: https://doi.org/10.1109/sp40000.2020.00052

2020-05-01

Abstract:We present a new succinct zero knowledge argument scheme for layered arithmetic circuits without trusted setup. The prover time is O(C + nlogn) and the proof size is O(D logC +log2 n) for a D-depth circuit with n inputs and C gates. The verification time is also succinct, O(D logC + log2 n), if the circuit is structured. Our scheme only uses lightweight cryptographic primitives such as collision-resistant hash functions and is plausibly post-quantum secure. We implement a zero knowledge argument system, Virgo, based on our new scheme and compare its performance to existing schemes. Experiments show that it only takes 53 seconds to generate a proof for a circuit computing a Merkle tree with 256 leaves, at least an order of magnitude faster than all other succinct zero knowledge argument schemes. The verification time is 50ms, and the proof size is 253KB, both competitive to existing systems. Underlying Virgo is a new transparent zero knowledge verifiable polynomial delegation scheme with logarithmic proof size and verification time. The scheme is in the interactive oracle proof model and may be of independent interest.

Sven Laur,Jan Willemson,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-642-24861-0_18

2011-01-01

Abstract:Most of the multi-party computation frameworks can be viewed as oblivious databases where data is stored and processed in a secret-shared form. However, data manipulation in such databases can be slow and cumbersome without dedicated protocols for certain database operations. In this paper, we provide efficient protocols for oblivious selection, filtering and shuffle essential tools in privacy-preserving data analysis. As the first contribution, we present a 1-out-of-n oblivious transfer protocol with 0(log log n) rounds, which achieves optimal communication and time complexity and works over any ring Z(N). Secondly, we show how to construct round-efficient shuffle protocols with optimal asymptotic computation complexity and provide several optimizations.

Wei Puwen,Zhang Guoyan,Zhang Lijiang,Wang Xiaoyun

DOI: https://doi.org/10.1016/s1007-0214(09)70038-0

2009-01-01

Abstract:This paper shows that the protocol presented by Goyal et al.can be further simplified for a one-way function,with the simplified protocol being more practical for the decisional Diffie-Hellman assumption.Goyal et al.provided a general transformation from any honest verifier statistical zero-knowledge argument to a concurrent statistical zero-knowledge argument.Their transformation relies only on the existence of one-way functions.For the simplified transformation,the witness indistinguishable proof of knowledge protocols in"parallel"not only plays the role of preamble but also removes some computational zero-knowledge proofs, which Goyal et al.used to prove the existence of the valid openings to the commitments.Therefore,although some computational zero-knowledge proofs are replaced with a weaker notion,the witness indistinguishable protocol,the proof of soundness can still go through.

Ruta Jawale,Dakshita Khurana

2024-09-25

Abstract:A non-interactive ZK (NIZK) proof enables verification of NP statements without revealing secrets about them. However, an adversary that obtains a NIZK proof may be able to clone this proof and distribute arbitrarily many copies of it to various entities: this is inevitable for any proof that takes the form of a classical string. In this paper, we ask whether it is possible to rely on quantum information in order to build NIZK proof systems that are impossible to clone. We define and construct unclonable non-interactive zero-knowledge arguments (of knowledge) for NP, addressing a question first posed by Aaronson (CCC 2009). Besides satisfying the zero-knowledge and argument of knowledge properties, these proofs additionally satisfy unclonability. Very roughly, this ensures that no adversary can split an honestly generated proof of membership of an instance $x$ in an NP language $\mathcal{L}$ and distribute copies to multiple entities that all obtain accepting proofs of membership of $x$ in $\mathcal{L}$. Our result has applications to unclonable signatures of knowledge, which we define and construct in this work; these non-interactively prevent replay attacks.

Cryptography and Security,Quantum Physics

Xiaochen Li,Weiran Liu,Hanwen Feng,Kunzhe Huang,Yuke Hu,Jinfei Liu,Kui Ren,Zhan Qin

DOI: https://doi.org/10.1109/tdsc.2023.3263162

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The shuffle model is recently proposed to address the issue of severe utility loss in Local Differential Privacy (LDP) due to distributed data randomization. In the shuffle model, a shuffler is utilized to break the link between the user identity and the message uploaded to the data analyst. Since less noise needs to be introduced to achieve the same privacy guarantee, following this paradigm, the utility of privacy-preserving data collection is improved. We propose DUMP ( DUM my- P oint-based), a framework for privacy-preserving histogram estimation in the shuffle model. The core of DUMP is a new concept of dummy blanket , which enables enhancing privacy by just introducing dummy points on the user side and further improving the utility of the shuffle model. We instantiate DUMP by proposing two protocols: pureDUMP and mixDUMP, and conduct a comprehensive experimental evaluation to compare them with existing protocols. The experimental results show that, under the same privacy guarantee, (1) the proposed protocols have significant improvements in communication efficiency over all existing multi-message protocols, by at least 3 orders of magnitude; (2) they achieve competitive utility, while the only known protocol (Ghazi et al. , PMLR 2020) having better utility than ours employs hard-to-exactly-sample distributions which are vulnerable to floating-point attacks (CCS 2012).

ZZ Chen,MY Kao

DOI: https://doi.org/10.1137/s0097539798341600

1999-01-01

Abstract:We propose a general methodology for testing whether a given polynomial with integer coefficients is identically zero. The methodology evaluates the polynomial at efficiently computable approximations of suitable irrational points. In contrast to the classical technique of DeMillo, Lipton, Schwartz, and Zippel, this methodology can decrease the error probability by increasing the precision of the approximations instead of using more random bits. Consequently, randomized algorithms that use the classical technique can generally be improved using the new methodology. To demonstrate the methodology, we discuss two nontrivial applications. The first is to decide whether a graph has a perfect matching in parallel. Our new NC algorithm uses fewer random bits while doing less work than the previously best NC algorithm by Chari, Rohatgi, and Srinivasan. The second application is to test the equality of two multisets of integers. Our new algorithm improves upon the previously best algorithms by Blum and Kannan and can speed up their checking algorithm for sorting programs on a large range of inputs.

Moti Yung,Yunlei Zhao

DOI: https://doi.org/10.1007/11681878_2

2006-01-01

Abstract:We investigate the design and proofs of zero-knowledge (ZK) interactive systems under what we call the “restricted random oracle model” which restrains the usage of the oracle in the protocol design to that of collapsing protocol rounds a la Fiat-Shamir heuristics, and limits the oracle programmability in the security proofs. We analyze subtleties resulting from the involvement of random oracles in the interactive setting and derive our methodology. Then we investigate the Feige-Shamir 4-round ZK argument for $\mathcal{NP}$ in this model: First we show that a 2-round protocol is possible for a very interesting set of languages; we then show that while the original protocol is not concurrently secure in the public-key model, a modified protocol in our model is, in fact, concurrently secure in the bare public-key model. We point at applications and implications of this fact. Of possible independent interest is a concurrent attack against the Feige-Shamir ZK in the public-key model (for which it was not originally designed).

Dun Qiu,Jeffrey Remmel

DOI: https://doi.org/10.48550/arXiv.1806.04348

2020-04-13

Abstract:Gorsky and Negut introduced operators $Q_{m,n}$ on symmetric functions and conjectured that, in the case where $m$ and $n$ are relatively prime, the expression ${Q}_{m,n}(1)$ is given by the Hikita polynomial ${H}_{m,n}[X;q,t]$. Later, Bergeron-Garsia-Leven-Xin extended and refined the conjectures of ${Q}_{m,n}(1)$ for arbitrary $m$ and $n$ which we call the Extended Rational Shuffle Conjecture. In the special case ${Q}_{n+1,n}(1)$, the Rational Shuffle Conjecture becomes the Shuffle Conjecture of Haglund-Haiman-Loehr-Remmel-Ulyanov, which was proved in 2015 by Carlsson and Mellit as the Shuffle Theorem. The Extended Rational Shuffle Conjecture was later proved by Mellit as the Extended Rational Shuffle Theorem. The main goal of this paper is to study the combinatorics of the coefficients that arise in the Schur function expansion of ${Q}_{m,n}(1)$ in certain special cases. Leven gave a combinatorial proof of the Schur function expansion of ${Q}_{2,2n+1}(1)$ and ${Q}_{2n+1,2}(1)$. In this paper, we explore several symmetries in the combinatorics of the coefficients that arise in the Schur function expansion of ${Q}_{m,n}(1)$. Especially, we study the hook-shaped Schur function coefficients, and the Schur function expansion of ${Q}_{m,n}(1)$ in the case where $m$ or $n$ equals $3$.

Combinatorics

Yl Zhao,Xt Deng,Ch Lee,H Zhu

DOI: https://doi.org/10.1007/3-540-39200-9_8

2003-01-01

Abstract:A new public-key model for resettable zero-knowledge (rZK) protocols, which is an extension and generalization of the upper-bounded public-key (UPK) model introduced by Micali and Reyzin [EuroCrypt'01, pp. 373-393], is introduced and is named weak public-key (WPK) model. The motivations and applications of the WPK model are justified in the distributed smart-card/server setting and it seems more preferable in practice, especially in E-commerce over Internet. In this WPK model a 3-round (optimal) black-box resettable zero-knowledge argument with concurrent soundness for NP is presented assuming the security of RSA with large exponents against subexponential-time adversaries. Our result improves Micali and Reyzin's result of resettable zero-knowledge argument with concurrent soundness for NP in the UPK model. Note that although Micali and Reyzin' protocol satisfies concurrent soundness in the UPK model, but it does not satisfy even sequential soundness in our WPK model.Our protocol works in a somewhat "parallel repetition" manner to reduce the error probability and the black-box zero-knowledge simulator works in strict polynomial time rather than expected polynomial time. The critical tools used are: verifiable random functions introduced by Micali, Rabin and Vadhan [FOCS'99, pp. 120-130], zap presented by Dwork and Naor [FOCS'00, pp. 283-293] and complexity leveraging introduced by Canetti, Goldreich, Goldwasser and Micali [STOC'00, pp. 235-244].

Hassan Jameel Asghar,Arghya Mukherjee,Gavin K. Brennen

2024-09-06

Abstract:We present a quantum protocol which securely and implicitly implements a random shuffle to realize differential privacy in the shuffle model. The shuffle model of differential privacy amplifies privacy achievable via local differential privacy by randomly permuting the tuple of outcomes from data contributors. In practice, one needs to address how this shuffle is implemented. Examples include implementing the shuffle via mix-networks, or shuffling via a trusted third-party. These implementation specific issues raise non-trivial computational and trust requirements in a classical system. We propose a quantum version of the protocol using entanglement of quantum states and show that the shuffle can be implemented without these extra requirements. Our protocol implements k-ary randomized response, for any value of k > 2, and furthermore, can be efficiently implemented using fault-tolerant computation.

Quantum Physics,Cryptography and Security

Mireya Jurado,Ramon G. Gonze,Mário S. Alvim,Catuscia Palamidessi

2023-05-22

Abstract:Local differential privacy (LDP) is a variant of differential privacy (DP) that avoids the need for a trusted central curator, at the cost of a worse trade-off between privacy and utility. The shuffle model is a way to provide greater anonymity to users by randomly permuting their messages, so that the link between users and their reported values is lost to the data collector. By combining an LDP mechanism with a shuffler, privacy can be improved at no cost for the accuracy of operations insensitive to permutations, thereby improving utility in many tasks. However, the privacy implications of shuffling are not always immediately evident, and derivations of privacy bounds are made on a case-by-case basis. In this paper, we analyze the combination of LDP with shuffling in the rigorous framework of quantitative information flow (QIF), and reason about the resulting resilience to inference attacks. QIF naturally captures randomization mechanisms as information-theoretic channels, thus allowing for precise modeling of a variety of inference attacks in a natural way and for measuring the leakage of private information under these attacks. We exploit symmetries of the particular combination of k-RR mechanisms with the shuffle model to achieve closed formulas that express leakage exactly. In particular, we provide formulas that show how shuffling improves protection against leaks in the local model, and study how leakage behaves for various values of the privacy parameter of the LDP mechanism. In contrast to the strong adversary from differential privacy, we focus on an uninformed adversary, who does not know the value of any individual in the dataset. This adversary is often more realistic as a consumer of statistical datasets, and we show that in some situations mechanisms that are equivalent w.r.t. the strong adversary can provide different privacy guarantees under the uninformed one.

Cryptography and Security

Cheng-Long Li,Kai-Yi Zhang,Xingjian Zhang,Kui-Xing Yang,Yu Han,Su-Yi Cheng,Hongrui Cui,Wen-Zhao Liu,Yang Liu,Bing Bai,Hai-Hao Dong,Jun Zhang,Xiongfeng Ma,Yu Yu,Jingyun Fan,Qiang Zhang,Jian-Wei Pan

DOI: https://doi.org/10.1073/pnas.2205463120

2023-01-01

Abstract:Zero-knowledge proof (ZKP) is a fundamental cryptographic primitive that allows a prover to convince a verifier of the validity of a statement without leaking any further information. As an efficient variant of ZKP, noninteractive zero-knowledge proof (NIZKP) adopting the Fiat-Shamir heuristic is essential to a wide spectrum of applications, such as federated learning, blockchain, and social networks. However, the heuristic is typically built upon the random oracle model that makes ideal assumptions about hash functions, which does not hold in reality and thus undermines the security of the protocol. Here, we present a quantum solution to the problem. Instead of resorting to a random oracle model, we implement a quantum randomness service. This service generates random numbers certified by the loophole-free Bell test and delivers them with postquantum cryptography (PQC) authentication. By employing this service, we conceive and implement NIZKP of the three-coloring problem. By bridging together three prominent research themes, quantum nonlocality, PQC, and ZKP, we anticipate this work to inspire more innovative applications that combine quantum information science and the cryptography field.

Borja Balle,James Bell,Adria Gascon,Kobbi Nissim

DOI: https://doi.org/10.1145/3372297.3417242

2022-12-19

Abstract:The shuffle model of differential privacy (Erlingsson et al. SODA 2019; Cheu et al. EUROCRYPT 2019) and its close relative encode-shuffle-analyze (Bittau et al. SOSP 2017) provide a fertile middle ground between the well-known local and central models. Similarly to the local model, the shuffle model assumes an untrusted data collector who receives privatized messages from users, but in this case a secure shuffler is used to transmit messages from users to the collector in a way that hides which messages came from which user. An interesting feature of the shuffle model is that increasing the amount of messages sent by each user can lead to protocols with accuracies comparable to the ones achievable in the central model. In particular, for the problem of privately computing the sum of $n$ bounded real values held by $n$ different users, Cheu et al. showed that $O(\sqrt{n})$ messages per user suffice to achieve $O(1)$ error (the optimal rate in the central model), while Balle et al. (CRYPTO 2019) recently showed that a single message per user leads to $\Theta(n^{1/3})$ MSE (mean squared error), a rate strictly in-between what is achievable in the local and central models. This paper introduces two new protocols for summation in the shuffle model with improved accuracy and communication trade-offs. Our first contribution is a recursive construction based on the protocol from Balle et al. mentioned above, providing $\mathrm{poly}(\log \log n)$ error with $O(\log \log n)$ messages per user. The second contribution is a protocol with $O(1)$ error and $O(1)$ messages per user based on a novel analysis of the reduction from secure summation to shuffling introduced by Ishai et al. (FOCS 2006) (the original reduction required $O(\log n)$ messages per user).

Cryptography and Security